diff options
author | Jamie Liu <jamieliu@google.com> | 2020-05-04 18:00:56 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-05-05 09:19:52 -0700 |
commit | 35951c3671f3d429399eb581ad9da3b56e2a5f5a (patch) | |
tree | 292f00eb8943be7cdf261bfeb75bd9b517b96d69 /pkg/sentry/fs/inode_overlay.go | |
parent | da71dc7fddda387232b243c6176de21a1208ad0c (diff) |
Translate p9.NoUID/GID to OverflowUID/GID.
p9.NoUID/GID (== uint32(-1) == auth.NoID) is not a valid auth.KUID/KGID; in
particular, using it for file ownership causes capabilities to be ineffective
since file capabilities require that the file's KUID and KGID are mapped into
the capability holder's user namespace [1], and auth.NoID is not mapped into
any user namespace. Map p9.NoUID/GID to a different, valid KUID/KGID; in the
unlikely case that an application actually using the overflow KUID/KGID
attempts an operation that is consequently permitted by client permission
checks, the remote operation will still fail with EPERM.
Since this changes the VFS2 gofer client to no longer ignore the invalid IDs
entirely, this CL both permits and requires that we change synthetic mount point
creation to use root credentials.
[1] See fs.Inode.CheckCapability or vfs.GenericCheckPermissions.
PiperOrigin-RevId: 309856455
Diffstat (limited to 'pkg/sentry/fs/inode_overlay.go')
0 files changed, 0 insertions, 0 deletions